Adding firewall rule by protocol number

2014-07-27 Thread Simon Murphy
Hi - is it possible to add a firewall rule by protocol number (i.e. GRE) for a 
standard network? It is possible to do this for a VPC ACL, but I can't seem to 
make it work for standard network types.

Thanks,
Simon Murphy
Solutions Architect

ViFX | Cloud infrastructure
Level 7, 57 Fort Street, Auckland, New Zealand 1010
PO Box 106700, Auckland, New Zealand 1143
M +64 21 2854519
www.vifx.co.nz/blog http://www.vifx.co.nz/blog follow us on
twitter https://twitter.com/ViFX follow us on Pinterest
http://pinterest.com/vifx/technology-trends/
Auckland | Wellington | Christchurch


experience. expertise. execution.

This email and any files transmitted with it are confidential, without 
prejudice and may contain information that is subject to legal privilege. It is 
intended solely for the use of the individual/s to whom it is addressed in 
accordance with the provisions of the Privacy Act (1993). The content contained 
in this email does not, necessarily, reflect the official policy position of 
ViFX nor does ViFX have any responsibility for any alterations to the contents 
of this email that may occur following transmission. If you are not the 
addressee it may be unlawful for you to read, copy, distribute, disclose or 
otherwise use the information contained within this email. If you are not the 
intended recipient, please notify the sender prior to deleting this email 
message from your system. Please note ViFX reserves the right to monitor, from 
time to time, the communications sent to and from its email network.



Routing from VPC Private Gateway to Internet (4.2.1)

2014-04-08 Thread Simon Murphy
Does anyone know if it should be possible to route from a customer network on 
the private gateway to the internet? When I set this up there is no NAT rule 
created on the VPC and PC’s on the customer network cannot get to the internet.

The customer would like to use the VPC connection to access the internet. Is 
this possible?



Simon Murphy


Re: Routing from VPC Private Gateway to Internet (4.2.1)

2014-04-08 Thread Simon Murphy
It will not let me add a CIDR of 0.0.0.0/0 as it overlaps with the
internal VPC range. When adding a specific address (8.8.8.8/32) an error
is thrown.

I would have thought that routing from private gateway to the internet is
a pretty standard scenario?





Simon Murphy






On 9/04/14 12:48 pm, Sanjeev Neelarapu sanjeev.neelar...@citrix.com
wrote:

Hi,

Private gateway on vpc is used to reach the resources not part of
cloudstack but are present in same data center. Try adding a static route
with destination as 0.0.0.0/0 via the private gateway.

--Sanjeev

On Apr 8, 2014 5:43 PM, Simon Murphy simon.mur...@vifx.co.nz wrote:
Does anyone know if it should be possible to route from a customer
network on the private gateway to the internet? When I set this up there
is no NAT rule created on the VPC and PC's on the customer network cannot
get to the internet.

The customer would like to use the VPC connection to access the internet.
Is this possible?



Simon Murphy



Re: CloudStack DR Approach (not HA)

2014-03-26 Thread Simon Murphy
It is well and good to say that this feature will not be developed - but
100% of our customers are asking us for this kind of functionality. Most
of our customers are traditional enterprises who have invested vast
sums of money on SAN/NAS environments, and they typically run large VMware
farms. Today they are able to implement a DR Solution by using
SAN/Hypervisor replication and automation tools such as VMWare SRM. This
typically works very well (at a cost), considering some of our customers
have over 800 applications in their portfolio.

Most, if not all of our customers run very traditional, vertically scaling
applications that are central to their business. Assuming they are going
to re-write their very complex and expensive application stack so that
they can leverage cloud technologies is a flawed argument. The cost of
such an exercise may run into the 10's of millions for some organisations.

In any case, I really hope this feature is developed. Without it,
Cloudstack (and other cloud platforms) will make limited headway into
risk-averse enterprise accounts who have had this capability for many years.
Although I fundamentally agree that to really harness the power of cloud,
your applications should be 'cloud native', I also think that cloud
platforms should be flexible enough to cater for traditional workloads and
not doing so is a major inhibitor to cloud adoption for enterprises.

Simon Murphy



On 27/03/14 4:13 am, Nux! n...@li.nux.ro wrote:

On 26.03.2014 14:34, Geoff Higginbottom wrote:
 
 Until we reach the utopia of all workloads being cloud-era workloads,
 the Zone HA feature is still very high on people's wish list.

This feature can be on their list all they want, it's _extremely_
unlikely it will happen any time soon. Imagine the amount of effort
required to replicate tons of storage and the omnipresent danger of
split-brains... this has DISASTER written all over it, not RECOVERY. :-)

The application needs to be cloud-aware as you say, in most cases this
is actually doable; though of course, some people are stuck with old
technology - they can just live with the risk or adapt to a cloud
environment.

Lucian

-- 
Sent from the Delta quadrant using Borg technology!

Nux!
www.nux.ro



Domain wide template

2014-01-15 Thread Simon Murphy
Is it possible to register a template to a domain so that only accounts in that 
domain can deploy from the template?


Simon Murphy


RE: Isolated Network with no Services

2013-12-09 Thread Simon Murphy
works using the api. thanks.

Sent from my Android phone using TouchDown (www.nitrodesk.com)

-Original Message-
From: Murali Reddy [murali.re...@citrix.com]
Received: Tuesday, 10 Dec 2013, 12:42am
To: d...@cloudstack.apache.org [d...@cloudstack.apache.org]; 
users@cloudstack.apache.org [users@cloudstack.apache.org]
Subject: Re: Isolated Network with no Services


From the UI yes, you can try with API directly.

On 09/12/13 12:19 PM, Simon Murphy simon.mur...@vifx.co.nz wrote:

I can successfully create the network offering with no services, however
when I go to deploy it is not listed under the available network
offerings. Seems like only Isolated Networks with SourceNAT enabled are
displayed...is this correct?


Simon Murphy






On 3/12/13 6:29 PM, Murali Reddy murali.re...@citrix.com wrote:

HTH

http://blog.remibergsma.com/2012/03/10/howto-create-a-network-in-cloudstack-without-a-virtual-router/

From: Simon Murphy simon.mur...@vifx.co.nz
Reply-To: d...@cloudstack.apache.org
Date: Tuesday, 3 December 2013 8:15 AM
To: users@cloudstack.apache.org, d...@cloudstack.apache.org
Subject: Isolated Network with no Services

Is it possible to configure a network offering for an isolated network
that has no services? I would like to give the customer the option to
create a network that is totally isolated (no L3 connectivity) so that
they can bring their own software router/firewall. The isolated network
would be connected to other networks via the customer's virtual router.

I can create the network offering however it is not listed as an
available service when I try to create the network.

Cheers,
Simon











SRX/ASA and ACS VPC

2013-12-09 Thread Simon Murphy
Is it possible to offload firewall, SourceNAT and inter-VLAN routing functions 
to hardware devices for VPC networks?


Simon Murphy


RE: cloudstack + vmware

2013-12-09 Thread Simon Murphy
that functionality does not exist, and it is a big problem for us too. 
hopefully someone is working on it.


-Original Message-
From: Daniel Wittenberg [dwittenberg2...@gmail.com]
Received: Tuesday, 10 Dec 2013, 11:28am
To: users@cloudstack.apache.org [users@cloudstack.apache.org]
Subject: cloudstack + vmware

I was reading through the docs now that I have a basic setup going and it 
appears that you can’t really have CS manage a current VMware environment, if I 
read this right:
“Make sure the hypervisor hosts do not have any VMs already running before you 
add them to CloudStack”

So is there no way to just bring CS into an existing environment to take over 
management or do you really have to build a new environment with it?

Thanks!
Dan


RE: Improving SSVM performance

2013-12-02 Thread Simon Murphy
there is a global setting under the vmware section.


-Original Message-
From: Sean Hamilton [s...@seanhamilton.co.uk]
Received: Monday, 02 Dec 2013, 10:10pm
To: users@cloudstack.apache.org [users@cloudstack.apache.org]
Subject: Re: Improving SSVM performance

Hey Simon,

Is that done as the systemvm template is being uploaded, or can we edit it
afterwards?

Thanks,
Sean


On 28 November 2013 19:34, Simon Murphy simon.mur...@vifx.co.nz wrote:

 have you tried changing the default network adapter to vmxnet3?


 -Original Message-
 From: Sean Hamilton [s...@seanhamilton.co.uk]
 Received: Friday, 29 Nov 2013, 4:10am
 To: users@cloudstack.apache.org [users@cloudstack.apache.org]
 Subject: Improving SSVM performance

 We run 4.2 with VMware hypervisor.
 We'd like to improve the SSVM performance, specifically when exporting and
 deploying templates.

 Does anyone have any guides on doing this at all?

 Thanks,
 Sean



RE: Improving SSVM performance

2013-11-28 Thread Simon Murphy
have you tried changing the default network adapter to vmxnet3?


-Original Message-
From: Sean Hamilton [s...@seanhamilton.co.uk]
Received: Friday, 29 Nov 2013, 4:10am
To: users@cloudstack.apache.org [users@cloudstack.apache.org]
Subject: Improving SSVM performance

We run 4.2 with VMware hypervisor.
We'd like to improve the SSVM performance, specifically when exporting and
deploying templates.

Does anyone have any guides on doing this at all?

Thanks,
Sean


RE: ACS 4.2.1 - Multi-Zone vSphere Architecture

2013-11-27 Thread Simon Murphy
thanks. i found the management.cidr global setting that needs to be set to make 
the setup work.


-Original Message-
From: Sanjeev Neelarapu [sanjeev.neelar...@citrix.com]
Received: Wednesday, 27 Nov 2013, 6:12pm
To: users@cloudstack.apache.org [users@cloudstack.apache.org]; 
d...@cloudstack.apache.org [d...@cloudstack.apache.org]
Subject: RE: ACS 4.2.1 - Multi-Zone vSphere Architecture

Hi,

It is not mandatory to use single dedicated vlan in a multi zone environment. 
It is possible to have a dedicated VLAN at each site for vCenter, ESXi console 
ports and the system VM's, and then have the ACS server sitting in a separate 
VLAN that can route between both networks.

Thanks,
Sanjeev

From: Simon Murphy [mailto:simon.mur...@vifx.co.nz]
Sent: Monday, November 25, 2013 7:32 AM
To: users@cloudstack.apache.org; d...@cloudstack.apache.org
Subject: ACS 4.2.1 - Multi-Zone vSphere Architecture

Hi all,

I'm after some guidance on setting up ACS 4.2.1 with vSphere in a multi zone 
environment. The only way I have been able to successfully build a zone to this 
point is by having vSphere, ESXi console ports, ACS and the reserved system 
range on a single VLAN. This is OK for a small, single site deployment but how 
does this translate for multiple zones? The docs suggest that configuring a 
single /20 range for management is desired, does that imply that that range 
should be stretched across sites?

Should it be possible to have a dedicated VLAN at each site for vCenter, ESXi 
console ports and the system VM's, and then have the ACS server sitting in a 
separate VLAN that can route between both networks? I have been unsuccessful in 
getting this working to date so hopefully someone out there has some experience 
setting up a multi-site ACS/vSphere environment.

Any guidance would be greatly appreciated!


Simon Murphy


ACS 4.2.1 - Multi-Zone vSphere Architecture

2013-11-24 Thread Simon Murphy
Hi all,

I'm after some guidance on setting up ACS 4.2.1 with vSphere in a multi zone 
environment. The only way I have been able to successfully build a zone to this 
point is by having vSphere, ESXi console ports, ACS and the reserved system 
range on a single VLAN. This is OK for a small, single site deployment but how 
does this translate for multiple zones? The docs suggest that configuring a 
single /20 range for management is desired, does that imply that that range 
should be stretched across sites?

Should it be possible to have a dedicated VLAN at each site for vCenter, ESXi 
console ports and the system VM's, and then have the ACS server sitting in a 
separate VLAN that can route between both networks? I have been unsuccessful in 
getting this working to date so hopefully someone out there has some experience 
setting up a multi-site ACS/vSphere environment.

Any guidance would be greatly appreciated!


Simon Murphy